Google Reveals Actively Exploited Windows Kernel Vulnerability

Status
Not open for further replies.

ah

Reputable
Oct 29, 2014
69
0
4,630
0
My windows updated Flash security on 28 Oct, but I don't think it also included the windows bug fix.
 

Tanyac

Reputable
Aug 30, 2014
745
8
5,415
153
I'm wondering, given Microsoft's new "monthly" patch cycle whether they will even both to do anything until the November patch release.

Since Microsoft has clearly demonstrated with recent policy changes that customer safety, satisfaction and sanity are the least important things to them I'd not be surprised if we don't see a patch for at least another week, maybe more...
 

WFang

Reputable
Dec 10, 2014
130
0
4,680
0




Guys, NOT disclosing details of a vulnerability that is ACTIVELY being exploited in the wild is a far greater insanity!
Sure, you can easily argue that any sane find+patch+Quality Control cycle on such a bug would be more than 7 days, that is rather irrelevant. It is MUCH more important to get the warning out to IT and SysAdmins (of critical infrastructure and functions).

It's like complaining about how it is 'plain insanity' to expect fire-fighters to completely put out and control a fire in a 40 story hotel within 1 hour and that therefore one should not alert new and existing guests of the hotel that there is, in fact, a fire going on. "Nah, let them into the lobby man, the firefighters only had an hour to work on this, no reason to alert anyone just yet"...

Clearly, it would take longer to put out such a fire; and clearly, all the guests and prospecting guests need to be alerted ASAP.
The two actions are not mutually exclusive!
 

gggplaya

Distinguished
Jan 27, 2011
1,129
93
19,390
18


They give 90 days to lower risk and lower actively exploited vunerabilities. But for high risk and highly actively exploited attacks, they only give 7 days and light a fire under microsofts butt to fix it. Otherwise, microsoft might be relaxed and wait the full 90 days to fix it. Leaving us consumers under attack for the full 3 months.
 

gggplaya

Distinguished
Jan 27, 2011
1,129
93
19,390
18


Letting the public know they're being attacked is strongarm?
 

Jan_26

Commendable
Jun 30, 2016
247
0
1,760
41
I don't mind strong arm, but the deadlines need to be possible to reach. This way only thing Google reaches is just significantly increased security risk.
To paraphrase WFang, it's equivalent to go and tell band of pyromaniacs there is unguarded wagon of nitroglycerine parked on main street.
 

XaveT

Distinguished
Jul 15, 2013
190
0
18,760
27
But the pyros ALREADY KNOW about the wagon (since it's already actively being exploited). The wagon owners don't know that the pyros know it's there (consumers/professionals don't know the attack exists so they can't protect against it or watch out for the attacks)
 

bit_user

Splendid
Ambassador
Let's step away from the analogies, for a minute.

Look, the real question is whether 7 days is enough. Google seems to think so, and I happen to agree. For most of these security flaws, the fix can be coded in an hour and is relatively isolated. For most of these changes, 24-48 hours of testing should be more than enough. Google is hardly new to software development, and Android is certainly nearing the complexity of Windows.

It's true that there are some security flaws that are more systemic and require a much bigger lift, but I'm sure Google would be reasonable if MS reached out to them and explained the situation and what they're doing about it.
 

alextheblue

Distinguished
Apr 3, 2001
3,078
106
20,970
2


Yes let's set aside the bad analogies. Bit, that would be a great idea. You should suggest it to Google. They have some flexibility on their 90 day reveals. But the other policy? Currently, if MS says give us more time, Google says sorry can't do that. Tell your guys to sleep in the office and miss the kid's piano performance. Their deadline for this type of "actively exploited" vulnerability is a hard 7 days and that's the reality of the situation.

Regarding Android, it's gotten more complex but still not on the level of Windows. So I'm not sure how much relevance that has. Either way, Google didn't set that deadline for themselves, but rather for other vendors (competitors). If they find a critical currently-exploited vulnerability in their own code, they might conveniently forget to start the clock on the 7 day deadline. Sadly when they patch Android, who knows if/when the patch will migrate to most of the devices on the market.
 

Jan_26

Commendable
Jun 30, 2016
247
0
1,760
41


Tbh, I wouldn't miss an event like "kid's piano performance". There are plenty developer jobs, but events with your kids are unrepeatable and irreplacible.
 

virtualban

Distinguished
Feb 16, 2007
1,232
0
19,280
0
M$'r lawyers and bureaucrats need more time to find programmers and engineers ready to try fix the bugs in secret and take the blame for any failure and delay.
 

alextheblue

Distinguished
Apr 3, 2001
3,078
106
20,970
2


Exactly what I was trying to imply. Engineers have lives too. If seven days isn't enough, it's not enough. Google doesn't see it that way when it's a competitor's product. If they find an issue in their own code, exploited or not, they fix it on their own timetable. It's an unfair policy, and they need to be more flexible.
 

alextheblue

Distinguished
Apr 3, 2001
3,078
106
20,970
2
MS says they are currently working with multiple industry participants to test the patch and expect to release it on the 8th. Similar to Chrome on Win10, Edge on Anniversary Update is unaffected.
 

alextheblue

Distinguished
Apr 3, 2001
3,078
106
20,970
2


LOL. As you well know, the actual intrusions took place some time ago. There were ways to better secure the devices in question, regardless. Having little to no additional security in place for important systems is a mistake. Also given how recently Google notified them, I'd say their response was pretty fast. Couple of weeks basically including testing.

Anyway, don't want dirty laundry aired? Don't have quite so MUCH dirty laundry TO air. What a treasure trove of emails. Pick a better candidate. Even Bernie would have been a better pick in some regards. On the other side I'd have liked to see Fiorina be more aggressive and gain more traction. Regardless Putin plays both sides, he's worked with the Democrats as well - how quickly we forget Obama's (oops is that camera on) moment of "flexibility" with Putin, and the Russians funneling millions to the Clinton Foundation. Putin is showing the Obamas and the Clintons alike how little he thinks of them and their previous "understanding".

Something else hilarious: Neither candidate knows squat about "The Cyber" or how to secure it!
 

Jan_26

Commendable
Jun 30, 2016
247
0
1,760
41


Well, the fact they don't know anything about cyber wouldn't be that serious if they followed guidance of specialists who do. After all it's impossible to know everything. But honestly, from what can be seen from outsider's point of view, I really don't know which candidate is worse. Neither of them is a person I'd be calm to see being elected as a supreme leader of nuclear (and other 'goodies') weaponry equipped army.
 

bit_user

Splendid
Ambassador
I was just talking about the voting. Given how the vote is decentralized, it's infeasible for Putin to rig a win for Trump, but all he has to do is plant some evidence in swing states of it being rigged for Hillary.

That will sew some chaos, and that's his goal. He wants to show the world (his own people, in particular) what bad idea this "democracy" thing really is. Taking us down a peg is just bonus.
 

alextheblue

Distinguished
Apr 3, 2001
3,078
106
20,970
2
He might not need to plant evidence, if they can tamper with the voting directly and then draw attention to it. That would shake voter confidence. I for one certainly don't trust our government to secure anything - and not just from a technological aspect. Our people are easily compromised too. But I digress... I think he's more interested in flaunting his own power, more so than elevating or taking down anyone else. I believe the reason he chose to attack Hillary has little to do with trying to get Trump elected, but rather he is sending the one more likely to win a message.
 
Status
Not open for further replies.

ASK THE COMMUNITY

TRENDING THREADS